Classification: UNCLASSIFIED Caveats: NONE
Hi,

I'm continuing to implement WS-Security using the PolicyHandler framework in Tuscany 1.6.1. I found that when a SOAPFault is generated, PolicyHandler.afterInvoke() is skipped. This is true on both the service and reference side.

The scenario on the service side is the following: beforeInvoke() fails the security check and throws RuntimeException. This causes the Tuscany runtime to skip calling PolicyHandler.afterInvoke() on the return direction of both the service side and the reference side, which is trying to access the service. On the wire, the Tuscany runtime did generate a SOAPFault body for the response.

This causes several problems:

1. The service side and the reference side (client) did not have an opportunity to do WS-Security processing for the return direction.
2. The audit system also missed some opportunities to audit the failure.

On a slightly different but related topic, what is the right exception handling for PolicyHandler? The PolicyHandler.before/afterInvoke() signature did not declare any exception, so I could only throw RuntimeException. That causes control to end up in the catch block of Axis2ServiceInOutSyncMessageReceiver.invokeBusinessLogic() and therefore miss PolicyHandler.afterInvoke(). I think the PolicyHandler API should declare specific exceptions with defined meanings so the users know what to do.

Thanks,
Gang
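
The control flow reported in the message above, next to a dispatch that still runs afterInvoke() on the fault path so the failure can be audited. This is an added example, not code from the original post or from Tuscany: Handler, both dispatch methods and the message strings are hypothetical stand-ins that only mirror the before/afterInvoke shape described.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model, NOT Tuscany's real classes or its Axis2 receiver.
public class HandlerFaultDemo {
    // Hypothetical handler shape: no checked exceptions, as in the post.
    interface Handler {
        void beforeInvoke(String msg);
        void afterInvoke(String msg);
    }

    static final List<String> audit = new ArrayList<>();

    // Hypothetical security handler: rejects unsigned requests, audits responses.
    static final Handler security = new Handler() {
        public void beforeInvoke(String msg) {
            if (!msg.startsWith("signed:")) throw new RuntimeException("security check failed");
        }
        public void afterInvoke(String msg) { audit.add("response: " + msg); }
    };

    // Flow as reported: the exception jumps straight to the catch block,
    // so a fault is built but afterInvoke never sees it.
    static String dispatchAsReported(Handler h, String request) {
        try {
            h.beforeInvoke(request);
            String response = "ok";
            h.afterInvoke(response);
            return response;
        } catch (RuntimeException e) {
            return "SOAPFault: " + e.getMessage();
        }
    }

    // Alternative: build the fault first, then always run afterInvoke on it.
    static String dispatchWithFinally(Handler h, String request) {
        String response = null;
        try {
            h.beforeInvoke(request);
            response = "ok";
        } catch (RuntimeException e) {
            response = "SOAPFault: " + e.getMessage();
        } finally {
            h.afterInvoke(response); // runs on success and on fault
        }
        return response;
    }

    public static void main(String[] args) {
        dispatchAsReported(security, "unsigned request");   // constructed input
        System.out.println("as reported:  " + audit);
        dispatchWithFinally(security, "unsigned request");
        System.out.println("with finally: " + audit);
    }
}
```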